PSX Extreme


Sony Employing "Social Engineering" Tactics For PSN Security

Last year's hack of the PlayStation Network was deemed a "wake-up call" by many experts.

Since that time, Sony has taken strides to make sure it doesn't happen again.

This is why they've brought on former McAfee Chief Security Officer Brett Wahlin to assist; in speaking to Secure Business Intelligence, he talked about the key points of interest for a new and improved PSN (or now, SEN). First and foremost, one must understand their enemy; i.e., social groups like Anonymous looking to make a statement:

"The types of attacks we see are by groups with social agendas. The methods they use aren't the same as the state-sponsored guys. At Sony, we are modifying our programs to deal less with state-sponsored [attacks] and more with socially-motivated hackers. It will be different."

So in other words, Sony security people have to act like social engineers, and that means constantly monitoring staff and users around the world. Basically, they see any Sony employee as a potential target as they all have different levels of access to the network and different levels of vulnerability. Wahlin says it's important to adapt and create strategies based more on general behavior and psychology.

"We are looking to see if there are key elements within a person's interaction with their environment. That could be interaction with badging systems, with telephones - when and who do they call - and with systems like browser habits and applications used. All these things allow us to set up a pattern for users, so when something different happens we can respond."

Security experts will tell you that for the most part, hackers are often one step ahead of security software. But at least Sony is doing what they can to ensure their network doesn't suffer a repeat failure, and in truth, it's all anyone can really do, right?

Comments (13 posts)

I was proud of my programming classmates yesterday. As we were waiting for teacher, the Xbox vs PS3 debate came up and overwhelmingly the class asserted that PS3 was their preferred platform and many thought Xbox LIVE being $60/year - $12/month was a complete rip off. One guy tried claiming that LIVE's online play was better as he was talking out his butt. I spoke out against that ;) But anyway, a good many did seem to be scared to put their CC information into PSN due to the hacker thing that happened last year. So hopefully Sony's efforts to regain consumer internet security trust succeeds. Anyway, it's good to know that in some public communities it's pro PS3 all the way =)

Last edited by Temjin001 on 3/15/2012 11:00:12 AM

People should learn that putting their CC information into an online service (ANY online service) like PSN is like living in Tornado Alley. You live with the fear and certainty that a tornado will happen, but at the same time you know that the chances of any given town being hit are actually very small, and it's just as likely to hit the next town over as it is to hit yours. So year after year you live there, and each time there is a storm, you take care of yourself.

Online hacking is a fact of life. The PSN hack was most remarkable for the media coverage, not the data stolen, nor the consequences to individuals. To my knowledge not one consumer has had their money or identity stolen as a direct result of the PSN hack. Plenty of people have lost their money and identity due to numerous other hacks, including hacks of financial institutions. So like living in a tornado prone location, you know the risk you are taking and you take precautions against it. But you keep things in proportion.

I agree. Sony was far from the only target last year and it was blown way out of proportion. Meanwhile so many people have been losing money through Live and MS claims it is due to phishing scams. Many of the people were not even on Live for months and MS still blames FIFA! The media tends to ignore when the big bad MS screws up but jumps all over Sony.

Actually, the most effective strategy for tornadoes is to have a good warning system, radar and sirens, and to make sure that you have a safe place to go to. Usually a storm shelter (not just a basement) that is below ground and designed to withstand the storm. Building a stronger house is of little use because a moderately strong tornado can tear anything apart. An EF5 can scour the road surface from the ground, so there will be little left of a home that is built to any standard except that of a bomb shelter.

In fact I think that the most effective security strategy for service providers like Sony is very similar. Your perimeter defenses must be strong enough to rebuff casual attempts at attack, but also smart and sensitive enough to detect any level of penetration of the security. They must provide the warning that radar and sirens provide with tornadoes.

Then, like the storm shelter, the network must be designed in layers with sensitive data stored more securely and in such a way that it's possible to decouple the sensitive data from the rest of the system in the case of a successful intrusion. Just as you would with a significant tornado, when the siren sounds you check the radar and get in your shelter. If the storm actually tracks over your area, you slam the door closed and hang on to those that are most valuable to you. With a network, you slam the door closed if an intruder is working on the layered security around the secure data. The storm may destroy the house, but the valuable things - lives - are safe.

In many ways Sony did this with the PSN hack. They took the rather drastic action of downing the entire network in order to sever the attackers from the data. They slammed the door closed. Of course their warning system could have been better, but what they did was effective. What Sony needs to do in the future is have better perimeter defense, and detection. Along with a layered approach so that they can detect and terminate intrusions quickly. They must maintain more than one layer of security around sensitive data. Only if that storm comes right over the house (in other words an intrusion breaches multiple layers of security) would they need to close the door on the shelter. Even if attackers tore up the rest of the network's security, maintaining the security of the data is paramount. Just as in a tornado, the storm can completely destroy a home, but maintaining the safety of the residents is the most important thing.

Believe it or not, the roof flies off because the rest of the house implodes below it allowing the tornado to 'suck' the roof upwards.

You can build tornado resistant homes, but there's not a lot that can resist an EF5. Even a tornado resistant home is going to take damage to doors and windows, even if it remains structurally sound. The purpose of making them tornado resistant is to protect the occupants, not so much the home. It's been very educational living in a tornado prone area, I can tell you.

BTW, Norway and the UK do get tornadoes, they are just typically weaker, and often coastal. Usually they'll be termed water spouts because they occur over water. Sometimes they do happen on land, but it's far rarer than in places like Illinois, Arkansas, Missouri, Kentucky, Tennessee or Indiana.

Any company on the planet can be social engineered. Until you remove the human component from the equation entirely, it's not going to go away. You can educate employees, put security policies into place, and even have an internal pentesting team, but all it takes is the one single user that is either too trusting or doesn't care and the keys to the kingdom are given out.

I've done this for the PSN (SEN) as I just started using Music Unlimited in Canada and there isn't an option when you first sign up to use PSN cards (which I've been doing for some time now).

With a low limit card, if it does ever happen, not much is available to the person stealing the identity.

Most companies nowadays check usage and if it's out of the norm, they'll contact you, or send you another card (this happened to me last year when I used a Japanese website to order... I received another card from my bank, stating the site had been previously compromised and just to be safe another card was issued to me).